Subject: Re: [debsecan] meta/classes: export dpkg status file for debsecan
To: Daniel Sangorrin
Cc: isar-users@googlegroups.com
From: Jan Kiszka
Date: Mon, 5 Oct 2020 08:06:04 +0200

On 01.10.20 07:06, Daniel Sangorrin wrote: > Although the currently exported manifest has enough > information for scanning vulnerabilities, the tool > debsecan depends on the /var/lib/dpkg/status file > format. This patch adds a feature to export such file. > > All rootfs'es export the file by default and with > the same file name syntax as the manifests, except > for the file extension which is ".dpkg_status" > instead of ".manifest". > > Remove the feature with: > ROOTFS_FEATURES_remove = "export-dpkg-status" > > Signed-off-by: Daniel Sangorrin > --- > meta/classes/image.bbclass | 3 ++- > meta/classes/rootfs.bbclass | 8 ++++++++ > meta/recipes-devtools/buildchroot/buildchroot.inc | 3 ++- > meta/recipes-devtools/sdkchroot/sdkchroot.bb | 3 ++- > 4 files changed, 14 insertions(+), 3 deletions(-) > > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > index a296cc0..8e350a3 100644 > --- a/meta/classes/image.bbclass > +++ b/meta/classes/image.bbclass > @@ -63,9 +63,10 @@ image_do_mounts() { > } > > ROOTFSDIR = "${IMAGE_ROOTFS}" > -ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest" > +ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest export-dpkg-status" > ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}" > ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}" > +ROOTFS_DPKGSTATUS_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}" > > inherit rootfs > inherit image-sdk-extension > diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass > index afec1cb..bd73ee6 100644 > --- a/meta/classes/rootfs.bbclass > +++ b/meta/classes/rootfs.bbclass
> @@ -11,6 +11,7 @@ ROOTFS_PACKAGES ?= "" > # available features are: > # 'clean-package-cache' - delete package cache from rootfs > # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR} > +# 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR} > # 'finalize-rootfs' - delete files needed to chroot into the rootfs > ROOTFS_FEATURES ?= "" > > @@ -201,6 +202,13 @@ rootfs_generate_manifest () { > ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".manifest > } > > +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'export-dpkg-status', 'rootfs_export_dpkg_status', '', d)}" > +rootfs_export_dpkg_status() { > + mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR} > + cp '${ROOTFSDIR}'/var/lib/dpkg/status \ > + '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'/'${PF}'.dpkg_status > +} > + > ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'finalize-rootfs', 'rootfs_postprocess_finalize', '', d)}" > rootfs_postprocess_finalize() { > sudo -s <<'EOSUDO' > diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc b/meta/recipes-devtools/buildchroot/buildchroot.inc > index b4d7b76..e9c2cfe 100644 > --- a/meta/recipes-devtools/buildchroot/buildchroot.inc > +++ b/meta/recipes-devtools/buildchroot/buildchroot.inc > @@ -20,7 +20,8 @@ ROOTFSDIR = "${BUILDCHROOT_DIR}" > ROOTFS_PACKAGES = "${BUILDCHROOT_PREINSTALL}" > ROOTFS_CLEAN_FILES = "" > ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}" > -ROOTFS_FEATURES += "generate-manifest" > +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}" > +ROOTFS_FEATURES += "generate-manifest export-dpkg-status" > > BUILDCHROOT_PREINSTALL_COMMON = " \ > make \ > diff --git a/meta/recipes-devtools/sdkchroot/sdkchroot.bb b/meta/recipes-devtools/sdkchroot/sdkchroot.bb > index 467e682..796fefa 100644 > --- a/meta/recipes-devtools/sdkchroot/sdkchroot.bb > +++ b/meta/recipes-devtools/sdkchroot/sdkchroot.bb 
> @@ -22,8 +22,9 @@ ROOTFS_ARCH = "${HOST_ARCH}" > ROOTFS_DISTRO = "${HOST_DISTRO}" > ROOTFSDIR = "${S}" > ROOTFS_PACKAGES = "${SDKCHROOT_PREINSTALL} ${TOOLCHAIN}" > -ROOTFS_FEATURES += "clean-package-cache generate-manifest" > +ROOTFS_FEATURES += "clean-package-cache generate-manifest export-dpkg-status" > ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}" > +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}" > > python() { > if d.getVar("HOST_ARCH") not in ['i386', 'amd64']: > Looks good to me! Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
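
Review bot: In the image.bbclass hunk (@@ -63,9 +63,10 @@), ROOTFS_DPKGSTATUS_DEPLOY_DIR is introduced as a user-overridable variable (?=) but nothing in the four files listed in the diffstat documents it; the only description added is the one-line feature comment in rootfs.bbclass. Suggest documenting the variable next to ROOTFS_MANIFEST_DEPLOY_DIR, together with the "${PF}.dpkg_status" artifact name and the ROOTFS_FEATURES_remove = "export-dpkg-status" opt-out that currently lives only in the commit message.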
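
Review bot: In the rootfs.bbclass hunk at @@ -11,6 +11,7 @@, the new feature comment reads "exports /var/lib/dpkg/status file" while the neighbouring entries use the imperative ("delete package cache", "generate a package manifest", "delete files needed"). Suggest "export the /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}" so the list stays uniform.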
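
Review bot: In rootfs_export_dpkg_status() (rootfs.bbclass, @@ -201,6 +202,13 @@), the mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR} argument is unquoted while the cp directly below quotes the same variable, so a deploy path containing whitespace would have mkdir create the wrong directories and the cp would then fail. Suggest mkdir -p '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}' to match the quoting used in the cp destination.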